[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 910
  • Last Modified:

How can I stop warning re mysterious trojan or clean my PC of mchinjdrv.sys?

Recently my AVG software has reported on startup that a trojan threat has been detected in c:\windows\system32\drivers\mchinjdrv.sys.

I've done some research and some say that this is a legit thing and others say it is indeed a trojan threat.  When the warning appears I can choose to Heal but it can't find the file so can't heal it.  I can choose to move it to the Virus Vault but as it can't find it there's nothing to move.  If I choose to Ignore it the box goes away but reappears again on startup.

Regedit won't let me chop the Legacy entries out of the registry and a search of the whole PC (including hidden files) can't find this file either.  I've run a full AVG virus scan and that comes up clean as do scans with Advanced WIndowsCare, RegCure, XsoftSpy and a scanner I tried from Sophos which claimed to search for hidden rootkits.

I've seen a similar issue reported in EE and it mentions something called Rootkit Unlocker (or something like that) but when I looked in to that there was some doubt about it as someone alleged that this software added something to the system to defend against it ever being removed so in a way that's almost as bad as this current possible security risk.

The only way I can see to rid myself of this dialog is to add an exclusion in AVG not to reference systems32\drivers when it starts up which is convenient but hardly secure.

Can anyone advise on how I can get rid of this thing?  Whether it's legit or not, if it poses a threat I'd rather not have it hanging around!  I'm running XP inc SP3 and all latest patches and AVG v8.

Thanks in advance.
0
funasset
Asked:
funasset
1 Solution
 
JoWickermanCommented:
Hi,

Try the following:

Download process explorer from any site. (ProcessExplorer.zip)
Run Process Explorer
Find the process mchinjdrv.sys tree
Kill tree
Go to dos prompt
c:\> dir /S /AH /L mchinj*.sys
If you find the file:
attrib -s -h -r mchinjdrv.sys
rename mchinjdrv.sys mchinjdrv.old

Delete mchinjdrv.old

I think this should work.

Let me know,
Cheers.
0
 
MattRichardsonCommented:
0
 
funassetAuthor Commented:
Thanks - I'll look in to both of these when I get home.

I'll get back to you!
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
funassetAuthor Commented:
Nope.  Tried the ProcessExplorer and there was no entry for mchinjdrv.sys and it didn't show up in DOS using the search either.  I'm mystified as to where this damned thing is!!
0
 
ThinkSmartIncCommented:
I did some digging for you on this issue. mchinjdrv.sys is for MadCodeHook Injection Driver.  It is used in programs like Spy Sweeper to do injection tests in order to catch malicious code.  Unfortunately, the way it's loaded is that the file is dropped just long enough to load into memory and then is deleted, hence why you can never locate it.  If you are using Spy Sweeper, I'd recommend putting it into your exemption list, or use another Anti-Spyware program.  Below are a couple of sites that you can check out to give you more information regarding mchinjdrv.sys:

http://forums.comodo.com/virusmalware_removal_assistance/mchinjdrvsys-t9257.0.html

http://www.wilderssecurity.com/showthread.php?t=47024
0
 
funassetAuthor Commented:
Thanks for the links and I appreciate the digging.  It's a pesky little so-and-so isn't it.

It's AVG's Resident Shield that complains about it - I guess a recent signature update is why it's suddenly picking it up.  The trouble is that as far as I can see I can't add this specific file reference to it's exceptions list.  I can only add the path so that will mean telling AVG not to look in the whole system32\drivers directory which doesn't seem safe to me.  

I thought AVG was one of best AV/anti-spam tools around so if I have to replace it in order to get rid of this warning I'm not entirely sure what to put in it's place.  I can't find an email address or URL to contact the makers of AVG directly either so that I can pick their brains.  Tricky.

0
 
ThinkSmartIncCommented:
You can go to http://www.avg.com/support-technical and enter your license from AVG to get support.
0
 
funassetAuthor Commented:
Thanks.  In the past couple of days the warning hasn't appeared on startup 9 out of 10 times - why it appears on the other 1 occasion I really don't know.  I've scanned my PC with everything I can get my hands on and all reports indicate no infection so although this hook can be used by nasty hackers who need to get out more, it would seem that in this instance it is indeed a false positive and I'll have to contact AVG.

I appreciate your help.

Cheers.
0
 
funassetAuthor Commented:
Many thanks for your efforts.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now